Repository: govuk-dependabot-merger

GitHub Action for auto-merging Dependabot PRs as per RFC-156

• GitHub: govuk-dependabot-merger
• Ownership: #govuk-platform-engineering owns the repo. #govuk-platform-support receives automated alerts for this repo.
• Category: Utilities

README

This repository runs a daily GitHub action that automatically approves and merges certain Dependabot PRs for opted-in GOV.UK repos, according to strict criteria set out in RFC-167.

Note that govuk-dependabot-merger will avoid merging a PR if it has a failing GitHub Action CI workflow called CI, as per convention. It will also avoid running altogether on weekends and bank holidays.

Usage

To opt into the govuk-dependabot-merger service, first create a .govuk_dependabot_merger.yml config file at the root of your repository. Configure the file with an array of dependencies and associated semver bumps that you would like the service to merge for you.

For example:

api_version: 2
defaults:
  update_external_dependencies: false # default: false
  auto_merge: true # default: true
  allowed_semver_bumps: # allowed values: `[patch, minor, major]`
    - patch
    - minor
  # The above sets the default policy for all dependencies in your project.
  # But each of the above properties can be overridden on a per-dependency basis below.
overrides:
  # Example of overriding `allowed_semver_bumps`:
  - dependency: rails
    allowed_semver_bumps:
      - patch # minor/major bumps should be upgraded manually. See https://docs.publishing.service.gov.uk/manual/keeping-software-current.html#rails
  # Example of opting a specific dependency out of automatic patching:
  - dependency: gds-api-adapters
    auto_merge: false
  # Example of opting a specific dependency into automatic patching:
  - dependency: rspec
    update_external_dependencies: true

After you’ve merged your config file into your main branch, you just need to add your repository to the config/repos_opted_in.yml list in govuk-dependabot-merger.

Technical documentation

Running the test suite

To run the linter:

bundle exec rubocop

To run the tests:

bundle exec rspec

Using the merger locally

The repo expects an AUTO_MERGE_TOKEN environment variable to be defined. This should be a GitHub API token with sufficient scope.

You can then run the merger with:

bundle exec ruby bin/merge_dependabot_prs.rb

If you want to do a dry run:

bundle exec ruby bin/merge_dependabot_prs.rb --dry-run

The repo also ships with a “doctor” script to help you to debug individual PRs and why they did or did not auto-merge.

bundle exec ruby bin/pr_doctor.rb https://github.com/alphagov/content-data-api/pull/1996

Further documentation

• ADR 1: Limited team access to avoid privilege escalation
• ADR 2: Do not merge subdependency updates
• ADR 3: GitHub Access Token scope
• ADR 4: Ignore subdependencies

Licence

MIT LICENCE.